@remnic/core 9.3.685 → 9.3.686

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/dist/access-boundary.d.ts +2 -2
  2. package/dist/access-boundary.js +2 -2
  3. package/dist/access-cli.js +88 -7
  4. package/dist/access-cli.js.map +1 -1
  5. package/dist/access-http.d.ts +1 -1
  6. package/dist/access-http.js +5 -5
  7. package/dist/access-mcp.d.ts +12 -2
  8. package/dist/access-mcp.js +4 -4
  9. package/dist/access-operations.d.ts +8 -3
  10. package/dist/access-operations.js +5 -3
  11. package/dist/access-schema.d.ts +4 -4
  12. package/dist/{access-service-DeKrlYU_.d.ts → access-service-DmCHJ4cH.d.ts} +105 -29
  13. package/dist/access-service.d.ts +1 -1
  14. package/dist/access-service.js +1 -1
  15. package/dist/access-surface-catalog.d.ts +1 -1
  16. package/dist/access-surface-catalog.js +2 -0
  17. package/dist/access-surface-catalog.js.map +1 -1
  18. package/dist/{chunk-OFUULUSY.js → chunk-473JIN2U.js} +56 -5
  19. package/dist/chunk-473JIN2U.js.map +1 -0
  20. package/dist/{chunk-SQGPGC76.js → chunk-FUCUR2OZ.js} +540 -43
  21. package/dist/chunk-FUCUR2OZ.js.map +1 -0
  22. package/dist/{chunk-IIDSFFE5.js → chunk-KFBOZYME.js} +42 -3
  23. package/dist/chunk-KFBOZYME.js.map +1 -0
  24. package/dist/{chunk-PK6RGRSD.js → chunk-NN7QYW5W.js} +2 -2
  25. package/dist/chunk-NN7QYW5W.js.map +1 -0
  26. package/dist/{chunk-JPCKLFWK.js → chunk-QVMXQGT7.js} +6 -5
  27. package/dist/chunk-QVMXQGT7.js.map +1 -0
  28. package/dist/{chunk-BZISAF67.js → chunk-S2OU5DZY.js} +28 -6
  29. package/dist/chunk-S2OU5DZY.js.map +1 -0
  30. package/dist/{cli-D3-Q5Uod.d.ts → cli-D8nZ2MPH.d.ts} +1 -1
  31. package/dist/cli.d.ts +2 -2
  32. package/dist/cli.js +6 -6
  33. package/dist/index.d.ts +2 -2
  34. package/dist/index.js +6 -6
  35. package/dist/mcp-memory-inspector-app.d.ts +1 -1
  36. package/dist/schemas.d.ts +38 -38
  37. package/dist/transfer/types.d.ts +22 -22
  38. package/package.json +2 -2
  39. package/src/access-boundary.ts +2 -1
  40. package/src/access-cli.ts +94 -4
  41. package/src/access-http.ts +39 -1
  42. package/src/access-mcp.ts +54 -1
  43. package/src/access-operations.ts +66 -0
  44. package/src/access-service.ts +147 -62
  45. package/src/access-surface-catalog.test.ts +1 -1
  46. package/src/access-surface-catalog.ts +2 -0
  47. package/src/cli.ts +1 -0
  48. package/src/coding/decision-surfaces.test.ts +279 -0
  49. package/src/coding/decision-surfaces.ts +475 -0
  50. package/dist/chunk-BZISAF67.js.map +0 -1
  51. package/dist/chunk-IIDSFFE5.js.map +0 -1
  52. package/dist/chunk-JPCKLFWK.js.map +0 -1
  53. package/dist/chunk-OFUULUSY.js.map +0 -1
  54. package/dist/chunk-PK6RGRSD.js.map +0 -1
  55. package/dist/chunk-SQGPGC76.js.map +0 -1
@@ -3,7 +3,10 @@ import {
3
3
  } from "./chunk-UDJLF3BO.js";
4
4
  import {
5
5
  defineOperation
6
- } from "./chunk-PK6RGRSD.js";
6
+ } from "./chunk-NN7QYW5W.js";
7
+ import {
8
+ DECISION_SUBCOMMANDS
9
+ } from "./chunk-FUCUR2OZ.js";
7
10
 
8
11
  // src/access-operations.ts
9
12
  import { z } from "zod";
@@ -70,16 +73,52 @@ var memoryStoreOperation = defineOperation({
70
73
  return { result };
71
74
  }
72
75
  });
76
+ var codingDecisionSchema = z.preprocess(
77
+ (data) => {
78
+ if (data && typeof data === "object" && !Array.isArray(data)) {
79
+ const out = {};
80
+ for (const [k, v] of Object.entries(data)) {
81
+ if (v !== null) out[k] = v;
82
+ }
83
+ return out;
84
+ }
85
+ return data;
86
+ },
87
+ z.object({
88
+ subcommand: z.enum(DECISION_SUBCOMMANDS),
89
+ sessionKey: z.string().trim().max(512).optional(),
90
+ namespace: z.string().trim().max(256).optional(),
91
+ id: z.string().trim().max(512).optional(),
92
+ title: z.string().trim().max(512).optional(),
93
+ status: z.string().trim().max(64).optional(),
94
+ context: z.string().trim().max(8192).optional(),
95
+ decision: z.string().trim().max(8192).optional(),
96
+ consequences: z.string().trim().max(8192).optional(),
97
+ entityRefs: z.array(z.string().trim().min(1).max(256)).optional(),
98
+ supersedesId: z.string().trim().max(512).optional()
99
+ })
100
+ );
101
+ var codingDecisionOperation = defineOperation({
102
+ name: "coding_decision",
103
+ description: "List, get, record, or supersede decision records in the session's coding namespace (issue #1548 Track A).",
104
+ schema: codingDecisionSchema,
105
+ handler: async (input, ctx) => {
106
+ const result = await ctx.service.codingDecision(input, ctx.authenticatedPrincipal);
107
+ return { result };
108
+ }
109
+ });
73
110
  var REGISTERED_OPERATIONS = [
74
111
  memoryGetOperation.spec.name,
75
112
  memorySearchOperation.spec.name,
76
- memoryStoreOperation.spec.name
113
+ memoryStoreOperation.spec.name,
114
+ codingDecisionOperation.spec.name
77
115
  ];
78
116
 
79
117
  export {
80
118
  memoryGetOperation,
81
119
  memorySearchOperation,
82
120
  memoryStoreOperation,
121
+ codingDecisionOperation,
83
122
  REGISTERED_OPERATIONS
84
123
  };
85
- //# sourceMappingURL=chunk-IIDSFFE5.js.map
124
+ //# sourceMappingURL=chunk-KFBOZYME.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/access-operations.ts"],"sourcesContent":["/**\n * Pilot operation definitions for the access boundary (issue #1525).\n *\n * Three operations migrate through the registry in this PR — `memory_get`,\n * `memory_search`, and the `memory_store` write op — so the boundary's\n * normalization matrix (rules 17/28/36/48/51) and shared error mapping reach\n * MCP, HTTP, and CLI from one place. Domain-group migrations (memory ops →\n * connectors → namespaces …) land as follow-up PRs that add `defineOperation`\n * calls here and delete the surface-local validation they replace.\n *\n * Importing this module for its side effects registers the pilot operations;\n * surfaces then dispatch via {@link getOperation} from `./access-boundary.js`.\n */\n\nimport { z } from \"zod\";\n\nimport { defineOperation } from \"./access-boundary.js\";\nimport { memoryStoreRequestSchema, type MemoryStoreRequest } from \"./access-schema.js\";\nimport type {\n EngramAccessMemoryResponse,\n EngramAccessWriteResponse,\n} from \"./access-service.js\";\nimport {\n DECISION_SUBCOMMANDS,\n type DecisionSurfaceRequest,\n type DecisionSurfaceResponse,\n} from \"./coding/decision-surfaces.js\";\n\n// ---------------------------------------------------------------------------\n// memory_get — fetch one memory by id\n// ---------------------------------------------------------------------------\n\n/**\n * `memoryId` is required and non-empty (rule 51: the MCP dispatcher previously\n * fell back to `typeof args.memoryId === \"string\" ? args.memoryId : \"\"`,\n * silently passing an empty id into the service). `namespace` is\n * `.nullable().optional()` because MCP clients send `null` (gotcha #2).\n * `namespace` has no `.min(1)` because the pre-boundary handlers forwarded\n * empty/whitespace strings, and `resolveNamespace` treats empty identically\n * to absent (both trim to falsy → default namespace). Rejecting empty would\n * break HTTP callers that send a bare `?namespace=` (Cursor review).\n */\nconst memoryGetSchema = z.object({\n memoryId: z.string().trim().min(1, \"memoryId is required\").max(512),\n namespace: z.string().trim().max(256).nullable().optional(),\n});\n\nexport interface MemoryGetInput {\n readonly memoryId: string;\n readonly namespace?: string | null;\n}\n\nexport interface MemoryGetOutput {\n readonly result: EngramAccessMemoryResponse;\n}\n\nexport const memoryGetOperation = defineOperation<MemoryGetInput, MemoryGetOutput>({\n name: \"memory_get\",\n description: \"Fetch one memory by id.\",\n schema: memoryGetSchema,\n handler: async (input, ctx) => {\n const result = await ctx.service.memoryGet(\n input.memoryId,\n input.namespace ?? undefined,\n ctx.authenticatedPrincipal,\n );\n return { result };\n },\n});\n\n// ---------------------------------------------------------------------------\n// memory_search — semantic search across memories\n// ---------------------------------------------------------------------------\n\nconst memorySearchSchema = z.object({\n query: z.string().trim().min(1, \"query is required\").max(2048),\n namespace: z.string().trim().max(256).nullable().optional(),\n // No upper cap: the pre-boundary MCP handler forwarded any finite number to\n // memorySearch, and the QMD/search backends honor large limits. Capping at\n // 100 would reject existing clients that request larger result sets.\n maxResults: z.number().int().min(1).nullable().optional(),\n collection: z.string().trim().min(1).max(256).nullable().optional(),\n});\n\nexport interface MemorySearchInput {\n readonly query: string;\n readonly namespace?: string | null;\n readonly maxResults?: number | null;\n readonly collection?: string | null;\n}\n\nexport interface MemorySearchOutput {\n readonly result: {\n readonly query: string;\n readonly results: ReadonlyArray<{ path: string; score: number; snippet: string }>;\n readonly count: number;\n };\n}\n\nexport const memorySearchOperation = defineOperation<MemorySearchInput, MemorySearchOutput>({\n name: \"memory_search\",\n description: \"Search memories across readable namespaces.\",\n schema: memorySearchSchema,\n handler: async (input, ctx) => {\n const result = await ctx.service.memorySearch({\n query: input.query,\n namespace: input.namespace ?? undefined,\n maxResults: input.maxResults ?? undefined,\n collection: input.collection ?? undefined,\n principal: ctx.authenticatedPrincipal,\n });\n return { result };\n },\n});\n\n// ---------------------------------------------------------------------------\n// memory_store — the pilot WRITE op\n// ---------------------------------------------------------------------------\n\nexport type MemoryStoreInput = MemoryStoreRequest;\n\nexport interface MemoryStoreOutput {\n readonly result: EngramAccessWriteResponse;\n}\n\nexport const memoryStoreOperation = defineOperation<MemoryStoreInput, MemoryStoreOutput>({\n name: \"memory_store\",\n description: \"Store an explicit memory through the access layer.\",\n // Reuse the existing schema verbatim — the migration is behavior-preserving;\n // the schema's external contract is NOT changing in this PR (per the issue's\n // pitfall note).\n schema: memoryStoreRequestSchema,\n handler: async (input, ctx) => {\n const result = await ctx.service.memoryStore(\n {\n ...input,\n authenticatedPrincipal: ctx.authenticatedPrincipal,\n },\n // Forward transport-level hooks (e.g. HTTP's atomic write-quota gate)\n // so the hook still fires inside the service's idempotent-write lock —\n // never before, never on a replay (#1434 invariant preserved by the\n // boundary migration).\n\n ctx.hooks,\n );\n return { result };\n },\n});\n\n// ---------------------------------------------------------------------------\n// coding_decision — decision-record surfaces (issue #1548 Track A PR 2)\n// ---------------------------------------------------------------------------\n\n/**\n * The subcommand field is required and MUST be one of the four valid values\n * (rule 51 — reject loudly, list the options, never silently default). The\n * remaining fields are optional because each subcommand uses a different\n * subset; the handler validates subcommand-specific requirements after\n * routing.\n */\n/**\n * MCP clients send `null` for absent optional fields. Zod `.optional()`\n * rejects `null`, so strip nulls at the object level before the inner\n * schema validates (review: cursor null-field thread).\n */\nconst codingDecisionSchema = z.preprocess(\n (data) => {\n if (data && typeof data === \"object\" && !Array.isArray(data)) {\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(data as Record<string, unknown>)) {\n if (v !== null) out[k] = v;\n }\n return out;\n }\n return data;\n },\n z.object({\n subcommand: z.enum(DECISION_SUBCOMMANDS),\n sessionKey: z.string().trim().max(512).optional(),\n namespace: z.string().trim().max(256).optional(),\n id: z.string().trim().max(512).optional(),\n title: z.string().trim().max(512).optional(),\n status: z.string().trim().max(64).optional(),\n context: z.string().trim().max(8192).optional(),\n decision: z.string().trim().max(8192).optional(),\n consequences: z.string().trim().max(8192).optional(),\n entityRefs: z.array(z.string().trim().min(1).max(256)).optional(),\n supersedesId: z.string().trim().max(512).optional(),\n }),\n);\n\nexport type CodingDecisionInput = DecisionSurfaceRequest;\nexport type CodingDecisionOutput = { result: DecisionSurfaceResponse };\n\nexport const codingDecisionOperation = defineOperation<\n CodingDecisionInput,\n CodingDecisionOutput\n>({\n name: \"coding_decision\",\n description:\n \"List, get, record, or supersede decision records in the session's coding namespace (issue #1548 Track A).\",\n schema: codingDecisionSchema as z.ZodType<CodingDecisionInput>,\n handler: async (input, ctx) => {\n const result = await ctx.service.codingDecision(input, ctx.authenticatedPrincipal);\n return { result };\n },\n});\n\n// ---------------------------------------------------------------------------\n// Surface registration map — what each transport calls the pilot ops\n// ---------------------------------------------------------------------------\n\n/**\n * The canonical short names (no `engram.`/`remnic.` prefix) of the operations\n * the boundary owns today. The fitness test treats this set as the migrated\n * set; everything else on a surface is unmigrated and counted by the ratchet.\n */\nexport const REGISTERED_OPERATIONS = [\n memoryGetOperation.spec.name,\n memorySearchOperation.spec.name,\n memoryStoreOperation.spec.name,\n codingDecisionOperation.spec.name,\n] as const;\n"],"mappings":";;;;;;;;;;;AAcA,SAAS,SAAS;AA4BlB,IAAM,kBAAkB,EAAE,OAAO;AAAA,EAC/B,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,GAAG,sBAAsB,EAAE,IAAI,GAAG;AAAA,EAClE,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE,SAAS,EAAE,SAAS;AAC5D,CAAC;AAWM,IAAM,qBAAqB,gBAAiD;AAAA,EACjF,MAAM;AAAA,EACN,aAAa;AAAA,EACb,QAAQ;AAAA,EACR,SAAS,OAAO,OAAO,QAAQ;AAC7B,UAAM,SAAS,MAAM,IAAI,QAAQ;AAAA,MAC/B,MAAM;AAAA,MACN,MAAM,aAAa;AAAA,MACnB,IAAI;AAAA,IACN;AACA,WAAO,EAAE,OAAO;AAAA,EAClB;AACF,CAAC;AAMD,IAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,GAAG,mBAAmB,EAAE,IAAI,IAAI;AAAA,EAC7D,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA,EAI1D,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,SAAS,EAAE,SAAS;AAAA,EACxD,YAAY,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS,EAAE,SAAS;AACpE,CAAC;AAiBM,IAAM,wBAAwB,gBAAuD;AAAA,EAC1F,MAAM;AAAA,EACN,aAAa;AAAA,EACb,QAAQ;AAAA,EACR,SAAS,OAAO,OAAO,QAAQ;AAC7B,UAAM,SAAS,MAAM,IAAI,QAAQ,aAAa;AAAA,MAC5C,OAAO,MAAM;AAAA,MACb,WAAW,MAAM,aAAa;AAAA,MAC9B,YAAY,MAAM,cAAc;AAAA,MAChC,YAAY,MAAM,cAAc;AAAA,MAChC,WAAW,IAAI;AAAA,IACjB,CAAC;AACD,WAAO,EAAE,OAAO;AAAA,EAClB;AACF,CAAC;AAYM,IAAM,uBAAuB,gBAAqD;AAAA,EACvF,MAAM;AAAA,EACN,aAAa;AAAA;AAAA;AAAA;AAAA,EAIb,QAAQ;AAAA,EACR,SAAS,OAAO,OAAO,QAAQ;AAC7B,UAAM,SAAS,MAAM,IAAI,QAAQ;AAAA,MAC/B;AAAA,QACE,GAAG;AAAA,QACH,wBAAwB,IAAI;AAAA,MAC9B;AAAA;AAAA;AAAA;AAAA;AAAA,MAMA,IAAI;AAAA,IACN;AACA,WAAO,EAAE,OAAO;AAAA,EAClB;AACF,CAAC;AAkBD,IAAM,uBAAuB,EAAE;AAAA,EAC7B,CAAC,SAAS;AACR,QAAI,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,QAAQ,IAAI,GAAG;AAC5D,YAAM,MAA+B,CAAC;AACtC,iBAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,IAA+B,GAAG;AACpE,YAAI,MAAM,KAAM,KAAI,CAAC,IAAI;AAAA,MAC3B;AACA,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT;AAAA,EACA,EAAE,OAAO;AAAA,IACP,YAAY,EAAE,KAAK,oBAAoB;AAAA,IACvC,YAAY,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,IAChD,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,IAC/C,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,IACxC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,IAC3C,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,SAAS;AAAA,IAC3C,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,IAAI,EAAE,SAAS;AAAA,IAC9C,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,IAAI,EAAE,SAAS;AAAA,IAC/C,cAAc,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,IAAI,EAAE,SAAS;AAAA,IACnD,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,EAAE,SAAS;AAAA,IAChE,cAAc,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EACpD,CAAC;AACH;AAKO,IAAM,0BAA0B,gBAGrC;AAAA,EACA,MAAM;AAAA,EACN,aACE;AAAA,EACF,QAAQ;AAAA,EACR,SAAS,OAAO,OAAO,QAAQ;AAC7B,UAAM,SAAS,MAAM,IAAI,QAAQ,eAAe,OAAO,IAAI,sBAAsB;AACjF,WAAO,EAAE,OAAO;AAAA,EAClB;AACF,CAAC;AAWM,IAAM,wBAAwB;AAAA,EACnC,mBAAmB,KAAK;AAAA,EACxB,sBAAsB,KAAK;AAAA,EAC3B,qBAAqB,KAAK;AAAA,EAC1B,wBAAwB,KAAK;AAC/B;","names":[]}
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  EngramAccessInputError
3
- } from "./chunk-SQGPGC76.js";
3
+ } from "./chunk-FUCUR2OZ.js";
4
4
  import {
5
5
  expandTildePath
6
6
  } from "./chunk-EYIEWJNI.js";
@@ -104,4 +104,4 @@ export {
104
104
  listRegisteredOperations,
105
105
  __resetRegistryForTest
106
106
  };
107
- //# sourceMappingURL=chunk-PK6RGRSD.js.map
107
+ //# sourceMappingURL=chunk-NN7QYW5W.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/access-boundary.ts"],"sourcesContent":["/**\n * Single input-validation and error boundary for the CLI/MCP/HTTP access\n * surfaces (issue #1525, epic #1520 Phase 1).\n *\n * Every operation that crosses the access-service facade passes through ONE\n * registry entry: a zod-validated request envelope, a shared error mapper,\n * and the \"reject invalid input and list valid options\" behavior that\n * CLAUDE.md rules 14/17/24/28/36/48/51 previously had to be re-implemented\n * per handler. The three surfaces become thin adapters — one operation\n * definition, three transports — so a validation fix lands everywhere at\n * once.\n *\n * Host-agnostic (rule 31): operation names carry no `openclaw-*`/`engram-*`\n * prefix. Session/namespace tenancy stays in the handler layer (resolved via\n * ScopePlan #1521); the boundary validates SHAPE, not tenancy.\n */\n\nimport { z } from \"zod\";\nimport { EngramAccessInputError, type EngramAccessService } from \"./access-service.js\";\nimport { expandTildePath } from \"./utils/path.js\";\n\n// ---------------------------------------------------------------------------\n// Canonical operation names — host-agnostic (rule 31)\n// ---------------------------------------------------------------------------\n\n/**\n * Canonical operation ids. One id is shared by the MCP tool, the HTTP route,\n * and the CLI command that expose the same operation. Add to this union as\n * each domain-group migration PR (memory ops → connectors → namespaces …)\n * lands; the fitness test in `access-surface-catalog.test.ts` treats the\n * registered set as the migration state.\n */\nexport type OperationName =\n | \"memory_get\"\n | \"memory_search\"\n | \"memory_store\"\n | \"coding_decision\";\n\n// ---------------------------------------------------------------------------\n// Operation context — what every handler receives\n// ---------------------------------------------------------------------------\n\n/**\n * Per-call context. `service` is the facade the handler delegates to; the\n * boundary never reaches past it. `authenticatedPrincipal` is resolved by\n * the SURFACE (MCP header / HTTP identity / CLI flag) before the boundary\n * runs, so handlers stay principal-source-agnostic. `hooks` carries\n * transport-level callbacks (e.g. HTTP write-quota enforcement) that must\n * fire atomically inside the service call; surfaces that have no such hook\n * leave it undefined.\n */\nexport interface OperationContext {\n readonly service: EngramAccessService;\n readonly authenticatedPrincipal?: string;\n readonly hooks?: OperationHooks;\n}\n\n/**\n * Transport-level callbacks a handler forwards into the service call. Kept\n * narrow on purpose: the boundary owns validation + dispatch shape, not\n * transport policy. Add fields here only when a surface genuinely needs a\n * callback the service itself consumes.\n */\nexport interface OperationHooks {\n /** HTTP write-quota gate; throws to reject the write when exhausted. */\n readonly enforceWriteQuota?: () => void | Promise<void>;\n}\n\n// ---------------------------------------------------------------------------\n// Operation spec + bound operation\n// ---------------------------------------------------------------------------\n\nexport interface OperationSpec<In, Out> {\n /** Canonical operation id; matches an {@link OperationName}. */\n readonly name: OperationName;\n readonly description: string;\n /** Zod schema validating the raw request envelope. */\n readonly schema: z.ZodType<In>;\n /** Handler invoked with the parsed input; throws EngramAccessInputError for domain faults. */\n readonly handler: (input: In, ctx: OperationContext) => Promise<Out>;\n}\n\nexport interface BoundOperation<In = unknown, Out = unknown> {\n readonly spec: OperationSpec<In, Out>;\n /** Validate the raw envelope, then invoke the handler. Throws EngramAccessInputError on any validation failure. */\n readonly run: (rawInput: unknown, ctx: OperationContext) => Promise<Out>;\n}\n\n// ---------------------------------------------------------------------------\n// Shared normalizers the boundary owns (rules 17, 28, 36, 48, 51)\n// ---------------------------------------------------------------------------\n\n/**\n * Coerce boolean-like strings at the edge (rule 36). Accepts actual booleans\n * and the string spellings clients send (\"true\"/\"false\"/\"1\"/\"0\"/\"yes\"/\"no\"/\n * \"on\"/\"off\", case-insensitive). Rejects anything else loudly — `Boolean(\"false\")`\n * would silently be `true`, which is the bug rule 36 exists to prevent.\n *\n * `undefined`/`null`/`\"\"` → `undefined`, so callers can keep treating an\n * absent flag as \"use the default\" without a separate presence check.\n */\nexport function coerceBooleanLike(value: unknown): boolean | undefined {\n if (value === undefined || value === null || value === \"\") return undefined;\n if (typeof value === \"boolean\") return value;\n if (typeof value === \"string\") {\n const lower = value.trim().toLowerCase();\n if (lower === \"true\" || lower === \"1\" || lower === \"yes\" || lower === \"on\") return true;\n if (lower === \"false\" || lower === \"0\" || lower === \"no\" || lower === \"off\") return false;\n }\n throw new EngramAccessInputError(\n `expected a boolean-like value (true|false|1|0|yes|no|on|off); got ${JSON.stringify(value)}`,\n );\n}\n\n/**\n * Coerce + validate a positive integer from a numeric string or number\n * (rule 28). Loosely-typed MCP/CLI clients send `\"5\"`; `typeof saved === \"number\"`\n * on read-back would reject it later, so we coerce at the edge and reject\n * booleans/objects loudly (`Number(true) === 1` would silently pass otherwise).\n *\n * `undefined`/`null`/`\"\"` → `undefined`.\n */\nexport function coercePositiveInteger(value: unknown, label: string): number | undefined {\n if (value === undefined || value === null || value === \"\") return undefined;\n if (typeof value === \"number\") {\n if (!Number.isFinite(value) || value <= 0 || !Number.isInteger(value)) {\n throw new EngramAccessInputError(`${label} expects a positive integer; got ${JSON.stringify(value)}`);\n }\n return value;\n }\n if (typeof value === \"string\") {\n const trimmed = value.trim();\n if (!/^[+-]?\\d+$/.test(trimmed)) {\n throw new EngramAccessInputError(`${label} expects a positive integer; got ${JSON.stringify(value)}`);\n }\n const parsed = Number(trimmed);\n if (!Number.isSafeInteger(parsed) || parsed <= 0) {\n throw new EngramAccessInputError(`${label} expects a positive integer; got ${JSON.stringify(value)}`);\n }\n return parsed;\n }\n throw new EngramAccessInputError(`${label} expects a positive integer; got ${JSON.stringify(value)}`);\n}\n\n/**\n * Expand `~` in a path-shaped input (rule 17). Node `fs` does NOT expand `~`;\n * ad-hoc regex drifts. `undefined`/`null`/`\"\"` → `undefined`.\n */\nexport function normalizeOptionalPath(value: unknown): string | undefined {\n if (value === undefined || value === null || value === \"\") return undefined;\n if (typeof value !== \"string\") {\n throw new EngramAccessInputError(`expected a path string; got ${JSON.stringify(value)}`);\n }\n return expandTildePath(value);\n}\n\n// ---------------------------------------------------------------------------\n// Error formatting — rule 51: list valid options, never silently default\n// ---------------------------------------------------------------------------\n\n/**\n * Turn a zod failure into an {@link EngramAccessInputError} whose message\n * names the offending field and — for enum/union issues — lists the valid\n * options, so the caller can correct rather than guess (rule 51).\n */\nexport function formatZodIssues(error: z.ZodError): string {\n const parts: string[] = [];\n for (const issue of error.issues) {\n const path = issue.path.length > 0 ? issue.path.join(\".\") : \"(root)\";\n const options = enumOptionsFromIssue(issue);\n const suffix = options ? `. Valid: ${options.join(\", \")}` : \"\";\n parts.push(`${path}: ${issue.message}${suffix}`);\n }\n return parts.length > 0\n ? `request validation failed: ${parts.join(\"; \")}`\n : \"request validation failed\";\n}\n\nfunction enumOptionsFromIssue(issue: z.ZodIssue): readonly string[] | undefined {\n // zod exposes accepted enum values on the issue for ZodEnum / ZodNativeEnum\n // and on the options of invalid_union discriminators. Reading them here\n // keeps \"list valid options\" in ONE place rather than per handler.\n if (issue.code === z.ZodIssueCode.invalid_enum_value) {\n const rawOptions = (issue as { options?: unknown }).options;\n if (Array.isArray(rawOptions)) {\n return rawOptions.map((opt) => String(opt));\n }\n }\n return undefined;\n}\n\n// ---------------------------------------------------------------------------\n// Registry\n// ---------------------------------------------------------------------------\n\nconst registry = new Map<OperationName, BoundOperation>();\n\n/**\n * Register an operation. Throws if the name is already registered — duplicate\n * registration is a programming error, not a runtime input fault, so it throws\n * a plain Error (not the input-error class surfaces translate for clients).\n */\nexport function defineOperation<In, Out>(spec: OperationSpec<In, Out>): BoundOperation<In, Out> {\n if (registry.has(spec.name)) {\n throw new Error(`access-boundary: operation already registered: ${spec.name}`);\n }\n const bound: BoundOperation<In, Out> = {\n spec,\n run: async (rawInput, ctx) => {\n const parseResult = spec.schema.safeParse(rawInput);\n if (!parseResult.success) {\n throw new EngramAccessInputError(formatZodIssues(parseResult.error));\n }\n return spec.handler(parseResult.data, ctx);\n },\n };\n // Store under the canonical name; the cast is safe because In/Out are\n // erased at the registry boundary and recovered by callers via getOperation.\n registry.set(spec.name, bound as unknown as BoundOperation);\n return bound;\n}\n\n/** Look up a registered operation by canonical name. */\nexport function getOperation(name: OperationName): BoundOperation | undefined {\n return registry.get(name);\n}\n\n/** All registered operation names. */\nexport function listRegisteredOperations(): readonly OperationName[] {\n return [...registry.keys()];\n}\n\n/** Test-only: clear the registry so pilot definitions can be re-registered. */\nexport function __resetRegistryForTest(): void {\n registry.clear();\n}\n"],"mappings":";;;;;;;;AAiBA,SAAS,SAAS;AAoFX,SAAS,kBAAkB,OAAqC;AACrE,MAAI,UAAU,UAAa,UAAU,QAAQ,UAAU,GAAI,QAAO;AAClE,MAAI,OAAO,UAAU,UAAW,QAAO;AACvC,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,QAAQ,MAAM,KAAK,EAAE,YAAY;AACvC,QAAI,UAAU,UAAU,UAAU,OAAO,UAAU,SAAS,UAAU,KAAM,QAAO;AACnF,QAAI,UAAU,WAAW,UAAU,OAAO,UAAU,QAAQ,UAAU,MAAO,QAAO;AAAA,EACtF;AACA,QAAM,IAAI;AAAA,IACR,qEAAqE,KAAK,UAAU,KAAK,CAAC;AAAA,EAC5F;AACF;AAUO,SAAS,sBAAsB,OAAgB,OAAmC;AACvF,MAAI,UAAU,UAAa,UAAU,QAAQ,UAAU,GAAI,QAAO;AAClE,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,CAAC,OAAO,SAAS,KAAK,KAAK,SAAS,KAAK,CAAC,OAAO,UAAU,KAAK,GAAG;AACrE,YAAM,IAAI,uBAAuB,GAAG,KAAK,oCAAoC,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,IACtG;AACA,WAAO;AAAA,EACT;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,UAAU,MAAM,KAAK;AAC3B,QAAI,CAAC,aAAa,KAAK,OAAO,GAAG;AAC/B,YAAM,IAAI,uBAAuB,GAAG,KAAK,oCAAoC,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,IACtG;AACA,UAAM,SAAS,OAAO,OAAO;AAC7B,QAAI,CAAC,OAAO,cAAc,MAAM,KAAK,UAAU,GAAG;AAChD,YAAM,IAAI,uBAAuB,GAAG,KAAK,oCAAoC,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,IACtG;AACA,WAAO;AAAA,EACT;AACA,QAAM,IAAI,uBAAuB,GAAG,KAAK,oCAAoC,KAAK,UAAU,KAAK,CAAC,EAAE;AACtG;AAMO,SAAS,sBAAsB,OAAoC;AACxE,MAAI,UAAU,UAAa,UAAU,QAAQ,UAAU,GAAI,QAAO;AAClE,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,IAAI,uBAAuB,+BAA+B,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,EACzF;AACA,SAAO,gBAAgB,KAAK;AAC9B;AAWO,SAAS,gBAAgB,OAA2B;AACzD,QAAM,QAAkB,CAAC;AACzB,aAAW,SAAS,MAAM,QAAQ;AAChC,UAAM,OAAO,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,GAAG,IAAI;AAC5D,UAAM,UAAU,qBAAqB,KAAK;AAC1C,UAAM,SAAS,UAAU,YAAY,QAAQ,KAAK,IAAI,CAAC,KAAK;AAC5D,UAAM,KAAK,GAAG,IAAI,KAAK,MAAM,OAAO,GAAG,MAAM,EAAE;AAAA,EACjD;AACA,SAAO,MAAM,SAAS,IAClB,8BAA8B,MAAM,KAAK,IAAI,CAAC,KAC9C;AACN;AAEA,SAAS,qBAAqB,OAAkD;AAI9E,MAAI,MAAM,SAAS,EAAE,aAAa,oBAAoB;AACpD,UAAM,aAAc,MAAgC;AACpD,QAAI,MAAM,QAAQ,UAAU,GAAG;AAC7B,aAAO,WAAW,IAAI,CAAC,QAAQ,OAAO,GAAG,CAAC;AAAA,IAC5C;AAAA,EACF;AACA,SAAO;AACT;AAMA,IAAM,WAAW,oBAAI,IAAmC;AAOjD,SAAS,gBAAyB,MAAuD;AAC9F,MAAI,SAAS,IAAI,KAAK,IAAI,GAAG;AAC3B,UAAM,IAAI,MAAM,kDAAkD,KAAK,IAAI,EAAE;AAAA,EAC/E;AACA,QAAM,QAAiC;AAAA,IACrC;AAAA,IACA,KAAK,OAAO,UAAU,QAAQ;AAC5B,YAAM,cAAc,KAAK,OAAO,UAAU,QAAQ;AAClD,UAAI,CAAC,YAAY,SAAS;AACxB,cAAM,IAAI,uBAAuB,gBAAgB,YAAY,KAAK,CAAC;AAAA,MACrE;AACA,aAAO,KAAK,QAAQ,YAAY,MAAM,GAAG;AAAA,IAC3C;AAAA,EACF;AAGA,WAAS,IAAI,KAAK,MAAM,KAAkC;AAC1D,SAAO;AACT;AAGO,SAAS,aAAa,MAAiD;AAC5E,SAAO,SAAS,IAAI,IAAI;AAC1B;AAGO,SAAS,2BAAqD;AACnE,SAAO,CAAC,GAAG,SAAS,KAAK,CAAC;AAC5B;AAGO,SAAS,yBAA+B;AAC7C,WAAS,MAAM;AACjB;","names":[]}
@@ -216,16 +216,16 @@ import {
216
216
  } from "./chunk-OADWQ5CR.js";
217
217
  import {
218
218
  EngramAccessHttpServer
219
- } from "./chunk-BZISAF67.js";
219
+ } from "./chunk-S2OU5DZY.js";
220
220
  import {
221
221
  WearablesInputError
222
222
  } from "./chunk-7WV3F5DQ.js";
223
223
  import {
224
224
  EngramMcpServer
225
- } from "./chunk-OFUULUSY.js";
225
+ } from "./chunk-473JIN2U.js";
226
226
  import {
227
227
  EngramAccessService
228
- } from "./chunk-SQGPGC76.js";
228
+ } from "./chunk-FUCUR2OZ.js";
229
229
  import {
230
230
  WorkStorage
231
231
  } from "./chunk-GDB4J2H3.js";
@@ -2264,7 +2264,8 @@ async function runAccessMcpServeCliCommand(service, options = {}) {
2264
2264
  emitLegacyTools: options.emitLegacyTools
2265
2265
  }) ?? new EngramMcpServer(service, {
2266
2266
  principal: options.principal,
2267
- emitLegacyTools: options.emitLegacyTools
2267
+ emitLegacyTools: options.emitLegacyTools,
2268
+ codingDecisionVisible: service.decisionRecordSurfaceVisible
2268
2269
  });
2269
2270
  await server.runStdio(options.stdin ?? process.stdin, options.stdout ?? process.stdout);
2270
2271
  return { ok: true };
@@ -7310,4 +7311,4 @@ export {
7310
7311
  listMemoryMarkdownFilePaths,
7311
7312
  registerCli
7312
7313
  };
7313
- //# sourceMappingURL=chunk-JPCKLFWK.js.map
7314
+ //# sourceMappingURL=chunk-QVMXQGT7.js.map